设置SOLR SSL属性 [英] Setting SOLR SSL properties
问题描述
当我使用提供的Apache SOLR启动脚本(版本6.6.0)时,该脚本创建并执行一个Java命令行,该命令行具有两组SSL属性,其相关元素设置为相同的值.一组具有类似javax.net.ssl.*的名称,而另一组具有类似solr.jetty.*的名称.例如:
When I use the provided Apache SOLR startup script (version 6.6.0), the script creates and then executes a java command line that has two sets of SSL properties who's related elements are set to the same values. One set has names like javax.net.ssl.* while the other set has names like solr.jetty.*. For example:
java -server ...
-Dsolr.jetty.keystore.password=secret ...
-Djavax.net.ssl.keyStorePassword=secret ...
... -jar start.jar --module=https
我们的安全团队不允许在命令行或环境变量中传递密码,但允许将其放置在文件中,前提是该文件具有受限的访问权限.我注意到在solr/server/etc目录中有一个jetty-ssl.xml文件,可用于为所有solr.jetty.*属性(包括solr.jetty.keystore.password)提供默认值.当我从java命令行中删除所有javax.net.ssl.keyStorePassword和solr.jetty.keystore.password属性并用我的密钥库密码更新jetty-ssl.xml文件时,SOLR似乎以该文件中包含的默认密钥库密码开始.然后,我可以使用浏览器连接到https://localhost:8983/solr/#并正常访问SOLR Admin页面.
Our security team does not allow passwords to be passed along on the command line or in environment variables but will allow them to be placed in a file provided the file has restricted access permissions. I noticed that there is a jetty-ssl.xml file in the solr/server/etc directory that can be used to provide default values to all the solr.jetty.* properties including solr.jetty.keystore.password. When I remove all the javax.net.ssl.keyStorePassword and solr.jetty.keystore.password properties from the java command line and update the jetty-ssl.xml file with my keystore password, SOLR appears to start with the default keystore password contained in that file. I can then connect with my browser to https://localhost:8983/solr/# and access the SOLR Admin page just fine.
SOLR独立产品或SOLR云产品中是否全部使用了javax.net.ssl.*属性?它们是否在浏览器之外的后台用于SOLR服务器连接,以连接到其他进程(如zookeeper)?我可以在源代码中看到它们的唯一参考是在solrj客户端中的solr嵌入式代码中.
Are the javax.net.ssl.* properties used at all in the SOLR standalone or SOLR cloud products? Are they used behind the scenes outside of the browser to SOLR server connections to connect to other processes like zookeeper? The only reference to them I can see to them in the source code is in the solr embedded code that is part of the solrj client.
推荐答案
是的,solr.jetty服务器端和javax.net.ssl.*客户端属性都被SOLR使用.对于某些操作(例如集合创建),SOLR似乎会自行连接,当它这样做时,它将尝试通过SSL与javax.net.ssl.*属性值进行连接.
Yes, both the solr.jetty server side and javax.net.ssl.* client side properties are used by SOLR. For certain operations, like collection creation, SOLR appears to connect to itself and when it does so it tries to connect via SSL with the javax.net.ssl.* property values.
为避免在命令行或环境变量中传递属性,我想到的解决方案是创建一个仅具有premain方法的javaagent类.在start.jar中main之前运行的premain方法中,我读取了一个包含秘密" SSL属性的属性文件,例如javax.net.ssl.keyStorePassword.然后,代理将该键/值添加到Java System属性中.
As far as avoiding passing the properties on the command line or in an environment variable, the solution I came up with is to create a javaagent class that only has a premain method. In this premain method, which runs before main in start.jar, I read a properties file containing the "secret" SSL properties, like javax.net.ssl.keyStorePassword. The agent then adds that key/value to the Java System properties.
因此,当main启动时,所有SSL属性都是已知的,并且尚未在命令行或环境变量中公开.显然,为了维护安全性,必须限制对属性文件的所有权和权限.可以将以下内容添加到SOLR java命令行中,以确保代理程序运行并可以作为参数访问属性文件:
Thus when main starts all the SSL properties are known and have not been exposed to the command line or in environment variables. Clearly one must limit ownership and permissions on the properties file in order to maintain security. The following can be added to the SOLR java command line to make sure the agent runs and has access to the properties file as an argument:
java -javaagent:ssl-agent.jar=/path/to/ssl/properties/file ... -jar start.jar ...
请参见此处有关编写Java代理的信息.
See here for info on writing java agents.
这篇关于设置SOLR SSL属性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
